rwinch / spring-ldap

Apache License 2.0

LDAP-287: LdapTemplate should convert string DNs to DistinguishedNames before passing them to DirContext #119

Open rwinch opened 10 years ago

rwinch commented 10 years ago

Original Reporter: pavel.horal
Environment: Not Specified
Version: 2.0.0.M1
Migrated From: https://jira.spring.io//browse/LDAP-287

Oracle's {{com.sun.jndi.ldap.LdapCtx}} (OracleJDK and OpenJDK) is converting all string based names to {{CompositeName}}. This means that it will get special handling for forward slashes and possibly other unwanted behavior.

Spring LDAP is an LDAP library and {{LdapTemplate}} is supposed to work with LDAP objects. If the JavaDoc says a DN string is expected, it should not have any side effects, like misinterpreting the forward slash character, which is not consistent with LDAP RFCs.

{code:java}
ldapTemplate.lookup("cn=foo/bar,cn=root"); // Results in error
ldapTemplate.lookup(new DistinguishedName("cn=foo/bar,cn=root")); // Works nicely
{code}

I suggest internally converting all string-based DNs to {{DistinguishedName}} inside {{LdapTemplate}} methods, before handing them over to {{DirContext}}.

rwinch commented 10 years ago

pavel.horal said: Of course, an alternative approach would be to not alter the current implementation, but actually warn about the {{CompositeName}} syntax in the JavaDoc.

rwinch commented 10 years ago

marthursson said: I'm considering your workaround, but to be perfectly honest I think this should really be filed as a bug in the JDK rather than Spring LDAP. It's quite clearly stated that Spring LDAP relies on Java LDAP/JNDI under the covers, even though we are sidestepping similar problems caused by {{CompositeName}}s in a number of places.

I'll have to think about this some more before deciding. Please note, however, that {{DistinguishedName}} has been deprecated in Spring LDAP 2.x. The recommendation is now to always use the built-in Java {{LdapName}}; there are some utilities in {{LdapUtils}} and {{LdapNameBuilder}} that help with working with these, particularly taking care of the Exceptions, which are all checked in {{LdapName}}.
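
The parsing difference discussed in this thread can be reproduced with the JDK's own name classes, without a directory server. This is an added example, not code from the thread or from Spring LDAP; the class name `DnParsingDemo`, the helpers `describe` and `childOf`, and the sample value `ops/eu, tier1` are assumptions made for illustration.

```java
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.Name;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class DnParsingDemo {

    /** Lists the components a JNDI Name was split into, in index order. */
    static String describe(Name name) {
        StringBuilder sb = new StringBuilder(name.getClass().getSimpleName())
                .append(" (").append(name.size()).append(" components):");
        for (int i = 0; i < name.size(); i++) {
            sb.append(" [").append(name.get(i)).append(']');
        }
        return sb.toString();
    }

    /** Appends an RDN built from a raw value; Rdn applies DN escaping, so no string concatenation. */
    static LdapName childOf(LdapName base, String attribute, String rawValue)
            throws InvalidNameException {
        LdapName dn = (LdapName) base.clone();
        dn.add(new Rdn(attribute, rawValue));
        return dn;
    }

    public static void main(String[] args) throws Exception {
        String dn = "cn=foo/bar,cn=root"; // the DN from the report

        // Composite-name syntax: '/' separates components, so the DN is cut inside an RDN.
        System.out.println(describe(new CompositeName(dn)));

        // LDAP-name syntax (RFC 2253 rules): ',' separates RDNs and '/' is an ordinary character.
        System.out.println(describe(new LdapName(dn)));

        // Constructed sample value standing in for caller-supplied input (hypothetical).
        String rawCn = "ops/eu, tier1";
        LdapName built = childOf(new LdapName("cn=root"), "cn", rawCn);

        // The value stays a single RDN; this Name, not a String, is what belongs in lookup(Name).
        System.out.println(describe(built));
    }
}
```

Handing the resulting `Name` to the `Name`-typed overloads keeps a slash or comma in a caller-supplied value from changing which entry the lookup addresses.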